CVE-2024-38666
published 2025-01-14CVE-2024-38666: An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially…
PriorityP264critical9.1CVSS 3.1
AVNACLPRHUINSCCHIHAH
EPSS
18.88%
96.9th percentile
An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 5.4.0-224.244 | 5.4.0-224.244 |
| wavlink | wavlink_ac3000 | — | — |
| wavlink | wl-wn533a8_firmware | — | — |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
osv7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
linux-iot vulnerabilities
osv·2026-01-12·CVSS 7.8
CVE-2022-49026 linux-iot vulnerabilities
linux-iot vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)
OSV
linux-raspi, linux-raspi-5.4 vulnerabilities
osv·2026-01-06·CVSS 7.8
linux-raspi, linux-raspi-5.4 vulnerabilities
linux-raspi, linux-raspi-5.4 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)
OSV
linux-oracle-5.4 vulnerabilities
osv·2025-12-19·CVSS 7.8
linux-oracle-5.4 vulnerabilities
linux-oracle-5.4 vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)
OSV
linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
osv·2025-12-11·CVSS 7.8
linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
linux-fips, linux-aws-fips, linux-gcp-fips vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)
OSV
linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp vulnerabilities
osv·2025-12-10·CVSS 7.8
linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp vulnerabilities
linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-399
GHSA
GHSA-2jw2-w8hc-jqch: An external config control vulnerability exists in the openvpn
ghsa_unreviewed·2025-01-14
CVE-2024-38666 [CRITICAL] CWE-15 GHSA-2jw2-w8hc-jqch: An external config control vulnerability exists in the openvpn
An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
No detection rules found.
No public exploits indexed.
Talos
Slew of WavLink vulnerabilities
blogs_talos·2025-01-15·CVSS 8.0
[HIGH] Slew of WavLink vulnerabilities
## Slew of WavLink vulnerabilities
Lilith >_> of Cisco Talos discovered these vulnerabilities.
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.
The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point.
Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy . Wavlink has declined to release a patch for these vulnerabilities.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are al
Talos
Slew of WavLink vulnerabilities
blogs_talos·2025-01-15·CVSS 8.0
[HIGH] Slew of WavLink vulnerabilities
Lilith >_> of Cisco Talos discovered these vulnerabilities.
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.
The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point.
Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s we
2025-01-14
Published